Security & Privacy
How Zyper AIO protects local keys, updates, and license state.
Zyper AIO’s security model is local-first: sensitive stores are encrypted on disk, update artifacts are verified before install, and license state is bound to your machine server-side.
Local encryption
These stores are DPAPI-encrypted on Windows:
wallets.datsolana_wallets.datbitcoin_wallets.datrpc.datproxies.dataccounts.dat
DPAPI uses your Windows user and machine context. There is no app-level password prompt and no separate recovery key.
Files Not Encrypted
Not every local file is sealed. Examples include tasks.json, license.json, flashbots.key, NFT caches, PnL config, custom PnL backgrounds, account auth status, browser profiles, and logs.
Those files should not contain wallet private keys. Browser profiles can contain site cookies, so treat the Windows user profile as sensitive.
Updates
The desktop updater verifies the release manifest signature, the downloaded binary signature, and version ordering so a signed older build is not accepted as an update.
If signature verification fails, the updater refuses to apply the update and logs the reason.
Extension Download
The Zyper Capture extension is installed separately as an unpacked browser extension. Its download path and hash sidecar are separate from the desktop binary signature flow.
License and HWID
Activation binds a license key to a machine identifier on the server. license.json stores local activation state, but the server binding is what prevents the same key from being reused on another machine without reset.
What this does not protect against
- Malware running as your Windows user.
- Someone who can control your desktop session.
- A compromised browser profile or account session.
- Phishing that convinces you to paste a private key or license key into the wrong place.